The threat of a cyber-attack is far more dangerous now than it has been in the past, yet knowledge of the threat prevention systems necessary to protect oneself remain widely unknown.
Ransomware, in particular, has exploded as a problem. The frequency of such attacks is up almost 200% in the past two years. Severity is up, too — the average ransom demand has surged from roughly $10,000 to well north of $100,000. Combine those two issues, and ransomware is many times as big a problem for clients and insurers as it was two years ago.
Unless companies create more sophisticated protection systems, the problem will become even worse. Hackers are more astute, increasingly have access to inexpensive tools and have greatly expanded how and what they attack. There are even ransomware developers who sell or lease their ransomware, offering Ransomware-as-a-Service (RaaS).
In the past, attacks were relatively limited. When an employee clicked on an attachment that included a virus, the attack would encrypt the computer. There was minimal ability to spread to other computers, and individual computers were oftentimes backed up. This meant ransomware was frequently seen as just an inconvenience for a company and wasn’t as significant an issue for insurers as it is today.
Now, attackers use their initial entry into a computer as the starting point to work their way into a potentially huge network. The hackers lay traps and can generally find how and where the system’s sensitive information and backup server are located. With this information, the hacker can ensure that paying the ransom is the only way for a company to recover. An attack is often so devastating that the hackers can — and will — ask for exorbitant ransoms.
Tools for hackers are now inexpensive on the dark web, and hacker groups often coordinate. Perhaps one individual finds some credentials that allow a path into a system but isn’t sure how to exploit it. The person might sell the credentials on the dark web or hire some hacker known to be especially good at exploring and exploiting that kind of system; this is RaaS.
While some industries were considered to be relatively low-risk, that’s no longer the case. For instance, a few years ago, manufacturers were considered a target class for cyber insurance carriers because they were unlikely to store personal information, like credit card records. But now, they’re getting hit the hardest: Manufacturers are typically large companies with underdeveloped cyber security capabilities. Hackers would use this to their advantage and exploit these companies, which weren’t prepared for the onslaught of ransomware attacks.
Within the Tokio Marine HCC – Cyber & Professional Lines Group, we’ve been working with thousands of policyholders to better prepare them for attacks, and people understand the problem conceptually. Cyber is a serious consideration at the executive level and mandatory for business continuity and disaster recovery planning. The recent SolarWinds attack has reminded us all that even the best-protected government and business systems are vulnerable.
Based on simulations of attacks, we know that approximately 30% of those who receive a phishing email will click on a link that infects their system. Thorough training of staff on awareness and best practices reduces the number who fall for a phishing attack. With proper training, we’ve seen a reduction in exposure, whereby only 10% of employees fall for the trick when a hacker attacks; but that can still be enough for a catastrophe to happen, like the SolarWinds incident.
Training should be mandatory, but it shouldn’t be the only layer of defense for the network. Perimeter defense, secure backups and patch management are all critical. At present, Tokio Marine HCC provides a vulnerability scanning service for policyholders, which provides insights on vulnerable points of entry for hackers, including security vulnerabilities in policyholders’ perimeter and out-of-date software, to help the insured avoid becoming a victim.
To combat weak passwords, many companies are starting to require multi-factor authentication to safeguard access to their system. A person must use an alternate means to authenticate themselves through a code texted to a smartphone, provide biometric evidence of their identity through something such as an iris scan or verify their identity via another secondary means. This dramatically reduces the risk that a compromised password leads to a devastating attack.
Companies are moving toward a “zero trust” model to protect their systems. The idea behind this emerging model is to have virtual “hall monitors” to challenge every actor in the system and force that actor to revalidate itself before going into an additional “room.” In the past, companies would use a firewall to keep hackers out, but once hackers get past the wall they virtually have access to any “hall” in the network.
Companies should also be thinking about their outsourcing arrangements. Outsourcing can be cost-efficient, but if you have a 1,000-person company and only have three full-time people in IT, you’re likely to be using outside contractors. Issues may arise with disagreements regarding who is responsible patching systems or monitoring the network for suspicious activity. Furthermore, Managed Service Providers (MSPs) are being targeted by hackers and, if the hackers gain unauthorized access, are being used to launch ransomware attacks against their clients.
At Tokio Marine HCC – Cyber & Professional Lines Group, we apply our expertise and use our scale to make deals on behalf of clients to create a package of security services from leading providers. These packages involve, for instance, CrowdStrike, which provides endpoint detection security; Cisco’s Duo, a leading service provider of multi-factor authentication; and many others. We provide the bundling of these services at a discount off the market price, as well as with a discount on premiums, because, based on our data, we’re confident that our clients are less vulnerable with solutions such as these.
However achieved, reducing vulnerability helps both our company and our clients. We view this as a mutual relationship. If we can keep our claims costs as low as possible, our premiums can be as low as possible. However, it is critical for our insureds to focus on cyber security, so they are not an easy target for hackers. Whether a company has insurance or not, an attack is hugely disruptive, and, although we can transfer some of the financial costs, we can’t transfer everything. For instance, companies oftentimes still have to deal with being shut down for a stretch of time, while they hopefully recover their data and ramp back up.
Minimizing exposure to an attack is possible, but a company must invest in layers of network defenses, training and maintenance to stay ahead. Having the right insurance policy can protect you from the financial burden, but the reputational harm or missed opportunities that result from a cyber-attack can be very costly.
If you are unable to reduce your vulnerability, the problem could spiral out of control. Insurers will need to keep raising rates rapidly or will simply drop out of the market — supply is already dwindling. Clients may find rates so high that they will self-insure — at great risk.
At Tokio Marine HCC – Cyber & Professional Lines Group, we’re committed to the market, and demand for the insurance has never been greater. Our focus is staying on top of loss trends so we can help our clients continue to reduce risks and keep the problem manageable for all.
For more information about the Cyber & Professional Lines Group, please visit www.tmhcc.com/pro